The globalization of the pharmaceutical industry has forced pharma companies to outsource, increasing their reliance on third-party vendors and suppliers. As this supply chain grows in complexity, companies find themselves grappling with a growing amount of cyber risk.
A data breach in the pharmaceutical industry can cost companies upwards of $5 million and costs can rise significantly if a third-party vendor or supplier is the cause of a data breach. For this reason, organizations must ensure the third-parties that exist within their supply chain remain secure.
Challenges in the Pharmaceutical Supply Chain
There are innumerable logistical, compliance, and cost-related issues that organizations must consider as they add third-parties and vendors to their supply chain.
From a logistics view, a growing number of touchpoints between production and consumers, shipments that require refrigeration, packaging coordination, and shipment delays related to third-parties all may increase risk.
This risk is compounded by compliance-related issues. The highly-regulated pharmaceutical industry must comply with a number of healthcare-related regulations, like HIPAA, and must also be sure that their third-party suppliers abide by rules set by supply regulations like Good Distribution Practice (GDP). If these companies and their third-parties do not comply, the organization becomes subject to costly fines – which can range between $10 million and $1 billion depending on various factors.
Pharmaceutical businesses must protect their organizations in this challenging risk environment by working to mitigate third-party cyber risk as they also work to limit their own.
Why Third-Party Risk Management is Critical for Pharma
Due to the high value of the intellectual property they house, pharmaceutical companies are subject to a high-level of cybercrime. In fact, according to a study conducted by Deloitte, the pharmaceutical industry has become the number one target of cybercriminals at a global level, especially in relation to IP theft.
For a pharma organization, data breaches can be devastating, costing companies grief over lost or stolen data and large sums of money to remedy any business hindrances caused by the breach. According to Ponemon’s Cost of a Data Breach report, data breaches cost pharmaceutical companies an average of $5.2 million. When a third-party supplier or vendor causes a breach, the average cost rises by $370,000.
In order to protect drug production and patient well-being, the industry must take care to minimize its cyber risk, specifically when it comes to third-parties.
Best Practices for Third-Party Risk Management in the Pharmaceutical Industry
It is crucial that pharmaceutical organizations work to limit the third-party risk that may stem from vendors and suppliers. Use the following seven best practices for developing your third-party risk management (TPRM) strategy:
1. Identify Your Suppliers
Pharmaceutical companies have a large, outsourced supply chain and it is imperative to understand exactly who your suppliers are at all points on the chain. Cyber risk can stem from any size or type of vendor, so make sure to list each third-party you work with – from small vendors who may work with only one department, to large vendors who develop drug labels and bottle caps.
2. Understand and Qualify Potential Cyber Risks
Each third-party has the potential to introduce numerous risks that must be identified at the start of your business relationship. Make note of the types of software, networks, devices, and data that each of your third-parties access. Then, develop a risk inventory and map them against a standardized risk taxonomy, estimate the likelihood and severity of each risk, and rank each third-party in order of potential risk.
3. Determine a Risk Rating
Once each third-party has been analyzed from a risk-perspective, assign a risk rating to each. Risk ratings generally range from low to high, meaning high-risk vendors receive the most attention when prioritizing risk monitoring strategies and determining your risk appetite.
4. Define Controls
It’s important to make sure that third-parties have the same level of risk tolerance as your organization. When developing a TPRM policy, you need to define the types of controls your third-parties should be using like encryption, regular security patching, and data segregation. If possible, these controls should be worked into your business contracts.
5. Measure Third-Party Compliance
After setting controls, you must set metrics to measure third-party compliance. These metrics may include time to risk detection, time to risk remediation, or time to risk recovery. Monitoring third-party compliance regularly requires a review of security questionnaires or self-audits provided by the third-party.
6. Align with a Risk Management Framework
In order to properly manage third-party risk, pharmaceutical organizations must develop a third-party risk management framework. Common frameworks like NIST and ISO help to identify which third-party vendors pose the greatest risk and require an immediate response.
7. Continuously Monitor Third-Parties
In order to ensure security, pharmaceutical companies must continuously monitor their third-party business partners. Many organizations incorporate platforms that can monitor ecosystem risk, providing real-time visibility into the complex IT risks associated with the rapidly expanding pharmaceutical attack surface.
The supply chain for the pharmaceutical industry is increasing in regulatory complexity, logistics, and costs. Globalization has expanded the threat landscape, leaving many companies forced to upgrade their risk-management capabilities. Now is the time to adopt the best practices highlighted above to protect drug IP and patient lives.
About Dr. Aleksandr Yampolskiy, CEO of SecurityScorecard
Dr.Aleksandr Yampolskiy is a globally recognized cybersecurity innovator, leader, and expert. He is co-founder and chief executive officer of SecurityScorecard and strives to create a new language for cybersecurity by enabling people to work collaboratively across the enterprise and with external parties to build a more secure ecosystem.